[Samba] "wbinfo --sid-to-gid" returns false gids
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Jul 17 12:25:15 UTC 2015
On 17/07/15 12:03, Andrej Surkov wrote:
> I've got this on the backup DC
>
> root@bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
> 3000000
OK, you have problems there, but not what you think. On my first DC
(note I don't have a 'primary' or a 'backup' DC, I just have DCs) if I
run 'wbinfo --name-to-sid=Domain\ Controllers', I get:
S-1-5-21-2025076216-3455336656-3842161122-516 SID_DOM_GROUP (2)
If I then run
'wbinfo --sid-to-gid=S-1-5-21-2025076216-3455336656-3842161122-516', I get:
3000025
But if I run the same command on my other DC, I get:
3000021
This is because idmap.ldb is not replicated between DCs. This can be
checked by running 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'
on both machines and then searching for the relevant xidNumber. On the
first DC, I get:
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
cn: S-1-5-21-2025076216-3455336656-3842161122-516
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
type: ID_TYPE_BOTH
xidNumber: 3000025
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
On the second DC, I get:
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-516
cn: S-1-5-21-2025076216-3455336656-3842161122-516
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-516
type: ID_TYPE_BOTH
xidNumber: 3000021
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-516
So, provided you only use the DCs for authentication, this will not be
a problem.
Now we come to your problem: you seem somehow to have '3000000' mapped
to 'Domain Controllers'. On *both* my DCs, if I search in idmap.ldb for
'3000000' I get this:
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
Running 'wbinfo --sid-to-name=S-1-5-32-544' produces:
BUILTIN\Administrators 4
This is correct, and it is this you need to fix. Have you any idea how your
'Domain Controllers' group got mapped to the 'Administrators' group?
Rowland
>
> while
>
> root@bdc:~# ldbedit -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-1166961617-3197558402-3341820450-516
> shows correct xid 3000019
>
> and on the primary DC I've got
>
> itk@dc:/$ wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516
> 3000019
>
> which is actually correct.
>
> How's that possible?
>
> Andrej
>
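A check for the idmap drift Rowland describes, as an added example that is not part of the thread or of Samba itself: given the LDIF text that ldbedit/ldbsearch print for idmap.ldb on each DC, it reports SIDs whose xidNumber differs between DCs (expected, since idmap.ldb is local to each DC) and, separately, any DC where one xidNumber has been handed to two SIDs (the kind of overlap the '3000000' result hints at). The dumps below are constructed from the SIDs and xids quoted above; "dc3" is an invented collision case.

```python
from collections import defaultdict

DC_GROUP = "S-1-5-21-2025076216-3455336656-3842161122-516"  # Domain Controllers (from the thread)
BUILTIN_ADMINS = "S-1-5-32-544"                             # BUILTIN\Administrators

def ldif_entry(sid, xid):
    """One sidMap record in the LDIF form ldbedit/ldbsearch print (constructed sample data)."""
    return (f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: ID_TYPE_BOTH\nxidNumber: {xid}\n\n")

# Constructed dumps: dc1/dc2 mirror the xids quoted in the thread; dc3 models a
# database where one xidNumber has been handed to two SIDs.
DUMPS = {
    "dc1": ldif_entry(DC_GROUP, 3000025) + ldif_entry(BUILTIN_ADMINS, 3000000),
    "dc2": ldif_entry(DC_GROUP, 3000021) + ldif_entry(BUILTIN_ADMINS, 3000000),
    "dc3": ldif_entry(DC_GROUP, 3000000) + ldif_entry(BUILTIN_ADMINS, 3000000),
}

def parse_idmap_ldif(text):
    """Return {objectSid: xidNumber} from an LDIF dump; a blank line separates records."""
    mapping = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(line.partition(": ")[::2] for line in record.splitlines() if ": " in line)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def compare_idmaps(dumps):
    """Return (mismatches, collisions): mismatches = {sid: {dc: xid}} where a SID has
    different xids on different DCs; collisions = {dc: {xid: [sids]}} where one xid
    is assigned to more than one SID on the same DC."""
    maps = {dc: parse_idmap_ldif(text) for dc, text in dumps.items()}
    mismatches = {}
    for sid in sorted(set().union(*maps.values())):
        xids = {dc: m[sid] for dc, m in maps.items() if sid in m}
        if len(set(xids.values())) > 1:
            mismatches[sid] = xids
    collisions = {}
    for dc, m in maps.items():
        by_xid = defaultdict(list)
        for sid, xid in m.items():
            by_xid[xid].append(sid)
        dup = {xid: sorted(sids) for xid, sids in by_xid.items() if len(sids) > 1}
        if dup:
            collisions[dc] = dup
    return mismatches, collisions

if __name__ == "__main__":
    for sid, xids in compare_idmaps(DUMPS)[0].items():
        print(f"{sid} differs per DC: {xids}")
```

On a real DC the input text would come from 'ldbsearch -H /var/lib/samba/private/idmap.ldb' run on each machine; the path may differ (the original poster's is under /usr/local/samba).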